Endpoint Protection

Salutations!

I've got a user who is running SEP 12.1.5 (RU5) that is having a problem with his weekly scheduled scans. Every week he said the scan gets stuck on this particular file:

c:\windows\syswow64\bitsprx4.dll

He said that he has let it sit there for over an hour and it never moved past this file.

We recently upgraded from version 12.1.4, but as far as I know his system is the only one that is having an issue with scans getting stuck. Any thoughts on the matter are appreciated, but a solution will be best ;)

Cheers,

Johnathan

Would need to enable VPdebugging to see get more details and possibly contact support.

How to enable Automatic Symantec Endpoint Protection (SEP) 12.1 Client Debugging, including WPP logs.

Anything special with this file? What's the size of it?

I just got an update from the employee. I asked him to run a manual scan and he said that when the scan was manually initated it completed successfully with no issue. I'll ask him to turn on VP debugging per the article you posted.

Is it Server 2008 R2 box or any other operating system?

Chetan,

The client having the issue is running Windows 7 Professional x64 SP1. Our SEPM server is running Windows Server 2008 R2 Standard, if that matters.

I had my employee report back to me this morning after his weekly scan completed. He said the scan completed successfully and took about 30 minutes to complete, which seems pretty normal to me. Obviously no solution has been found at this point, but unless his system decides to experience the problem again I probably won't have any logs to upload.
 

Thanks for the update and keep it under observation.

Is there any update?

OR

If issue has been resolved could you mark this thread as a solved with the best answer that helps you :)

It turns out that the system is continuing to scan without issues after enabling the logging as suggested by Brian. I don't think thats an actual solution, so I can't mark this as solved, but the grimlin causing the issue appears to have gone AWOL. It is strange that the issue would disappear after enabling logging, but I have no idea what changed to affect the scan.

Greetings from Austria!

I ust want to tell that we are facing something simillar on a few of our Servers (no clients so far). Until now I've seen only Windows 2012 R2 machines with a scheduled _full scan_ hanging.

• I have currently no idea what's being scanned when it appeares as the Scan-Window just shows "Scanning..."
• it always hangs after scanning just a few hundreds of files
• at some much later point in time (12+hours later) I get "Scan Suspended" in the Scan Log (not sure if it happens automatically after some kind of timeout or if it's triggered by "smc -stop")
• such stuck scan cannot be canceled. Clicking on cancel just greys-out the cancel button. Closing that scan window with "X" works, the GUI still shows "Scheduled scan in progress..."
• click on "scheduled scan in progress..." does nothing for about 2 miutes after trying to cancel that job
• clicking on "scheduled scan in progress..." after approx 2 minutes after failed cancelation opens a new "scheduled scan started on %NOW%" window and stucks at "Starting". Even that one ignores the cancel request

So far the only possibility to cancel such a job is to smc.exe -stop which takes in this case much more time than usually - about 1 minute vs. a few seconds.

I'll try to VPdebug and if I have more luck than Johnathan I'll provide it's output.

Tom

Hi Tom,

Sounds like you are experiencing the same issue I had except I am still on 2008 R2 Sp1.  You will definitely need to enable vpdebug and capture a scan.  If you see "ScanThrottling: User is not Idle. Sleeping"  through out the log try changing the scan tuning in SEPm to run scans at "Best scan performance" instead of balanced, or best application performance.  This will tax your server resources but the scan improvement is dramatic and scans seem to stop getting stuck.

If you still notice slow or stuck scans there are some scan tuning reg keys to add to  the server that force the defwatch scans (they can cause your scans to get stuck as well) to run at full speed instead of balanced.  We had to do both here to get scans back on track. These were the keys for 64 bit windows servers (though I did not test on 2012):

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\Defwatch CScan Repair Options]
"ScanTuning"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\Defwatch QuickScan Options]
"ScanTuning"=dword:00000000

My thread in the forum is here for more details:

https://www-secure.symantec.com/connect/forums/couple-issues-after-upgrading-sepm-and-clients-121-ru5

Hope you get your issue resolved in a timely manner. Good luck.

Larry

Hi all,

a month later and I do not have any helpful debug log yet. Once VPdeubug was setup on that server, not even once the scan got stuck.

There's another "good news" as well - all the other previously troublesome servers except one stopped having troubles either. The "last one" got stuck twice since 10th of March. I'll try to turn on VPdebug - maybe it's really a solution :-)

I'll follow up later ...

Tom

Thanks for the tip with the scan performance - I tweaked this setting for our servers - let's see if even the "last one" gets better.

Tom